Check Point Forensics: CTB-Faker Ransomware

SandBlast Agent Forensics Introduction

The concept is quite simple: we run a malware sample on a PC in our malware lab, with all protections turned off, and let SandBlast Forensics automatically analyze it, providing comprehensive analysis of the security incident. In addition to the blog, we are thrilled to now provide you with access to the interactive forensic report. This is the same report that a CISO, Security Admin or Incident Responder would get with SandBlast Forensics. To view the interactive forensic report, simply click on any of the images below.

The forensic report is best viewed on wide screens with resolutions greater than 1280 x 768. The ideal browsers to view the report are Chrome and Firefox. The report also works perfectly in Safari, Internet Explorer 11 and Edge. Older versions of IE will not display the report correctly.

Apparently, the name comes from the fact that the ransomware claims to be CTB in its ransom message. However, under the hood the two pieces of malware are very different. The original CTB injected itself into the explorer.exe process that started with the system, and then used explorer.exe to encrypt files. CTB-Faker uses scripts and WinRAR to accomplish the encryption.

So why does CTB-Faker use WinRAR? One of two potential reasons:

It is easy to do and requires very little expertise.

It would be hard to identify the WinRAR encryption and deletion as malicious.

All major compression programs, such as WinRAR, PK-Zip and WinZip, have a password-protect mode. When a password is set, the final compressed file is encrypted and requires that password to decrypt. Another option that most major compression programs have is to delete the files after they have been compressed. CTB-Faker uses this feature to delete all the files (i.e. the user's files) being encrypted.

So let us look at what the forensics report shows us.

Figure 2: Incident Tree including WinRAR. Click to open the interactive report.

The attack starts with the execution (double click) of ctb-faker.exe (PID 3424). Once run, it spawns another copy of itself (PID 3336), this time asking the user for administrator rights. In the interactive report, clicking on this process and then clicking on the Security tab shows that the process is now running with ADMIN rights. When the sample was first analyzed, the VirusTotal reputation for ctb-faker.exe showed only 5 of 52 detections. You can see this in the report by clicking on the process and selecting the Reputation tab.

Figure 3: Files Created by CTB-Faker. Click to view all files in the interactive report.

As can be seen in Figure 3, clicking on the tab File Ops and viewing the created files for the process CTB-Faker (PID 3336) shows us that CTB-Faker downloaded a bunch of files related to WinRAR and also downloaded a few bat (batch) and vbs (Visual Basic Script) files.

Returning to Figure 2, we can see that four copies of wscript.exe are now launched with different vbs scripts created by CTB-Faker.

It is the first wscript process (PID 2472) that eventually leads to the process winrar (PID 4312) encrypting and deleting the user files. Here the arguments for this process are what reveal the most:

“C:\Users” Indicates all the files in folders and sub-folders stored in c:\users should be compressed/encrypted.

So basically, all the files in c:\users and its sub-folders that can be archived are encrypted and then deleted if possible. However, something was clearly wrong with the -x parameters, because all file types were zipped and encrypted on our machine.
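One way to flag the pattern described above, added here as an example and not taken from the forensic report or from SandBlast: it rates archiver command lines that combine a password switch with deletion of the source files, using WinRAR's `a`/`m` commands and its `-p`/`-hp` and `-df`/`-dw`/`-dr` switches. The function name, severity labels, user-root list and sample command lines are assumptions constructed for illustration.

```python
import ntpath
import re

# Assumptions for this example: image names, severity labels and the
# "user root" list are illustrative, not taken from the report.
ARCHIVERS = {"winrar.exe", "rar.exe"}
ADD_COMMANDS = {"a", "m", "mf"}          # add / move (move deletes the sources)
DELETE_SWITCHES = {"-df", "-dw", "-dr"}  # delete, wipe or recycle sources after archiving
USER_ROOTS = {"c:\\users"}
TOKEN = re.compile(r'"[^"]*"|\S+')       # quoted argument or bare word


def triage(cmdline):
    """Rate one process command line: 'n/a', 'low', 'medium' or 'high'."""
    tokens = [t.strip('"') for t in TOKEN.findall(cmdline)]
    if len(tokens) < 2 or ntpath.basename(tokens[0]).lower() not in ARCHIVERS:
        return "n/a"                     # not an archiver process
    command = tokens[1].lower()
    if command not in ADD_COMMANDS:
        return "n/a"                     # extract, list, test and so on
    rest = [t.lower() for t in tokens[2:]]
    switches = [t for t in rest if t.startswith("-")]
    paths = [t for t in rest if not t.startswith("-")]
    # "-p-" means "do not ask for a password", so it is not encryption.
    encrypts = any(s.startswith(("-p", "-hp")) and s != "-p-" for s in switches)
    deletes = command != "a" or any(s in DELETE_SWITCHES for s in switches)
    # First path is the archive name; the remaining paths are what gets packed.
    broad = any(p.rstrip("\\") in USER_ROOTS for p in paths[1:])
    if encrypts and deletes:
        return "high" if broad else "medium"
    return "low"


# Constructed sample command lines (not taken from the forensic report).
SAMPLE = [
    r'"C:\Program Files\WinRAR\WinRAR.exe" a -r -df -pPLACEHOLDER C:\Users.zip "C:\Users"',
    r'"C:\Program Files\WinRAR\Rar.exe" a -hpPLACEHOLDER -dw D:\out\proj.rar D:\work\proj',
    r'"C:\Program Files\WinRAR\WinRAR.exe" a -r D:\backup\docs.rar C:\Users\alice\Documents',
    r'C:\Windows\System32\wscript.exe C:\Temp\run.vbs',
    r'rar.exe x -pPLACEHOLDER archive.rar',
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(f"{triage(line):6} {line}")
```

Feeding it process-creation command lines from endpoint telemetry gives a quick triage signal; the parent process (here, wscript.exe) is a further discriminator the rule does not use.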

Again looking at Figure 2, process wscript.exe PID 3580 is used to launch the downloaded file startup.exe, which in turn uses the registry to ensure persistence for the malware through the dropped file help.exe.

Process wscript.exe PID 1440 launches a command line that creates the ransom message text on the root drive. This can be seen either in the suspicious event tab or the file ops tab of the process.

The malware causes the machine to shut down after encryption as noted earlier in the WinRAR argument passed. The ransom message UI is displayed on reboot by help.exe.

Figure 4: CTB-Faker Ransomware Message

So besides the fact that the real CTB was a more “sophisticated” attack, the claim that the attacker used SHA-512 and RSA-4096 is rather amusing. SHA-512 is a one-way cryptographic hash algorithm and can’t really be used for encryption, and WinRAR, which is used to encrypt the files, uses AES-256.

Another interesting note is that no network connection is needed or used for exchange of keys. There is no network activity detected during the attack at all.

Oh yes, we then opened the file C:\Users.zip in WinRAR and asked it to extract its contents. We entered the password 4w1q3x5y8z and recovered all “encrypted” files.